Even in the final sitting week of the last legislative period, no majority could be reached for the government’s draft of the NIS-2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG). As a result, the implementation of the NIS-2 Directive in Germany is delayed indefinitely. Following the federal election on February 23, 2025, the newly elected government will have to revisit the issue – especially since the EU has already initiated infringement proceedings due to the missed implementation deadline. The legislative process will need to be restarted from scratch, making it unlikely that the NIS2UmsuCG will come into force before the end of 2025.
For many critical infrastructure (KRITIS) companies and energy providers, a legitimate question arises: what happens next with the compliance audits under § 8a (3) BSIG and the SzA audits under § 11 (1f) EnWG? Since the NIS2UmsuCG will not come into force for the time being, the current legal framework remains in place. Companies that submitted compliance evidence in 2023 must submit it to the BSI again in 2025 as part of the regular cycle.
In addition, new requirements under GAiN 2.0 and RUN will come into effect in 2025. GAiN defines binding specifications for audit execution and evidence submission, while RUN will establish mandatory maturity levels for KRITIS audits starting April 1, 2025. These maturity levels will be assessed by auditors across various domains – for example, in technical and organizational measures.
As an accredited audit body, we recommend that affected companies begin preparing early for the upcoming audits to ensure timely submission of evidence to the BSI. We are your reliable partner – supporting you throughout the preparation and execution of audits, as well as in compiling the required documentation.
Be proactive and prepare specifically for the implementation of NIS-2 requirements. With our many years of experience and practical solutions, we help you position yourself optimally. Feel free to contact us – we provide comprehensive support in meeting legal requirements and strengthening your cybersecurity.